Evolution of a threat: Expect ransomware targets, methods to broaden

Criminals expand turf with malware that can do more than encrypt data


As many security experts predicted, 2016 became the “year of extortion.” Ransomware rose to the top of the most prolific and most lucrative malware threats.

But as much as the bad actors had a banner year, they may be just warming up.

“Ransomware is the new scourge of the internet. It’s really an epidemic and … the No. 1 worry for IT pros,” says Stu Sjouwerman, CEO of KnowBe4, a provider of cybersecurity awareness training.


Some security vendors—including Trend Micro and McAfee—expect to see ransomware peak later this year and its growth to plateau.

But that doesn’t mean organizations will be able to breathe easy. The threat will continue to grow as the bad actors diversify both their targets and methods.

Factors that will play into the growing ransomware trend include the average user’s overestimation of his or her ability to recognize phishing, the social engineering attack most often used to deliver it, says Joe Opacki, the vice president of threat research at PhishLabs, which provides fraud and phishing protection.

Added to that weak human link is the low barrier to entry for this type of crime.

Joe Opacki, PhishLabs vice president of threat research

“As long as it continues to be an easy crime and people overestimate their ability to identify the threat vector, it (ransomware) will continue to be very profitable,” says Opacki, whose career has included advanced digital forensics at the FBI.

What to expect

PhishLabs’ recently released report on 2017 phishing trends and intelligence noted that last year saw an evolution in tactics. Rather than targeting individuals, attackers shifted their focus to organizations, especially to those that are more likely to pay ransom. This shift will continue to play out as attackers expand to new turf.

Some 2017 trends noted in the PhishLabs report:

• A continuing move to other platforms, such as Mac OS X, Linux and mobile

• The exploitation of Internet of Things vulnerabilities by ransomware actors

• An expanded functionality of ransomware, such as exfiltrating data, enrolling computers into botnets, and harvesting login credentials.

Hackers stretch their wings

The notion behind the expansion of platforms stems partly from the overall higher interest in writing malware, says Joshua Shilko, PhishLabs’ security threat analyst and ransomware expert.

“Last year we saw … multiplatform malware, including multiplatform ransomware being written,” he says. “So you can write one payload and build it so it can run on Windows, Unix, OS X and Linux.”

Mobile devices also are a growing area of interest for attackers. The newest ransomware, targeting Android phones, was discovered in the Google Play Store in January.

“Bad guys haven’t yet spent too much time on [mobile phones], but it’s only a matter of time,” Sjouwerman says.

More contextual attacks

Markus Jakobsson, chief scientist at email-security vendor Agari, expects ransomware purveyors to become better at using the right context for spear phishing attacks. These are emails that may come from strangers, but the contextual information they carry makes them look legitimate.

One example was the spear phishing campaign by Russian hackers sent to think tanks and nongovernment organizations immediately after the U.S. election. The emails focused on topics such as national security, and some appeared to be forwards from the Clinton Foundation discussing the election results. At least one version used a compromised Harvard account.

“The context was right because people who received the email were primed to want to read about this topic—it was perfect social engineering,” says Jakobsson, who recently released the book “Understanding Social Engineering Based Scams.”

He says that Agari began seeing trickle-down attacks from that campaign about three weeks later, slightly retooled to target enterprises and individuals with high net worth.

“At that point it was weaponized to be ransomware,” he says.

Leveraging stolen email credentials

Another tactic of growing concern is the reuse of login credentials stolen in a data breach. That would include the two massive Yahoo breaches disclosed last year that impacted a total of 1.5 billion accounts.

This is especially a problem, Opacki says, because many online services and software-as-a-service providers use email addresses instead of unique user names for logins. Because people often reuse passwords, cyber criminals can create “password reuse packs” to attack other websites and services.

“We believe there’s going to be a shift in focus for cybercriminals … to use a password reuse attack in multiple places,” he says.

Jakobsson says in the case of Yahoo, bad actors also could use compromised email accounts to bootstrap future attacks by harvesting contextual information. For example, automated scanners could identify accounts that could be used as launchpads for new attacks, as well as to identify accounts connected to potential targets such as individuals with high net worth.

“It’s not prominent at this point, but we’re seeing it as a very powerful and successful attack that we think will come up in the future,” he says.
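The password-reuse attacks Opacki describes usually show up on the defender’s side as credential stuffing: one source trying many different email-address logins in a short time, with the occasional success where a victim reused a breached password. The following is an added example, not code from the article or from PhishLabs or Agari, that flags such sources in a constructed authentication log and lists the accounts that should be reset; the log format, field names, addresses and thresholds are all assumptions.

```python
"""
Credential-stuffing detector over constructed authentication log lines.
Added example: the log format ("<ISO timestamp> <OK|FAIL> <email> <src_ip>"),
the sample data and the thresholds are assumptions, not a real product's format.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed sample log (documentation/test address ranges only).
SAMPLE_LOG = """\
2017-03-01T10:00:01 FAIL alice@example.com 203.0.113.7
2017-03-01T10:00:02 FAIL bob@example.com 203.0.113.7
2017-03-01T10:00:03 FAIL carol@example.com 203.0.113.7
2017-03-01T10:00:04 FAIL dave@example.com 203.0.113.7
2017-03-01T10:00:05 FAIL erin@example.com 203.0.113.7
2017-03-01T10:00:06 OK   frank@example.com 203.0.113.7
2017-03-01T10:05:00 FAIL alice@example.com 198.51.100.2
2017-03-01T10:05:30 OK   alice@example.com 198.51.100.2
2017-03-01T11:00:00 OK   bob@example.com 192.0.2.9
"""


class Event(NamedTuple):
    ts: datetime
    result: str   # "OK" or "FAIL"
    user: str     # email address used as the login name
    ip: str       # source address of the attempt


def parse_log(text: str) -> List[Event]:
    """Turn the assumed four-field log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append(Event(datetime.fromisoformat(ts), result, user, ip))
    return events


def detect_stuffing(events: List[Event],
                    window: timedelta = timedelta(minutes=5),
                    min_accounts: int = 5) -> Dict[str, dict]:
    """
    Flag a source IP when it attempts at least `min_accounts` distinct logins
    inside any sliding `window`. A single user mistyping a password never
    trips this, because the count is of distinct accounts, not of failures.
    Returns ip -> {"peak_distinct_accounts", "successful_logins"}.
    """
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)

    findings: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        live = Counter()   # accounts currently inside the window
        start = 0
        peak = 0
        for ev in evs:
            live[ev.user] += 1
            # Slide the window start forward until every event fits in it.
            while ev.ts - evs[start].ts > window:
                old = evs[start].user
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak >= min_accounts:
            findings[ip] = {
                "peak_distinct_accounts": peak,
                # Any success from a stuffing source is a likely reused password.
                "successful_logins": sorted({e.user for e in evs if e.result == "OK"}),
            }
    return findings


def accounts_to_reset(findings: Dict[str, dict]) -> List[str]:
    """Accounts that logged in successfully from a flagged source."""
    return sorted({u for f in findings.values() for u in f["successful_logins"]})


if __name__ == "__main__":
    found = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, info in found.items():
        print(f"{ip}: {info['peak_distinct_accounts']} accounts tried, "
              f"successes: {info['successful_logins']}")
    print("force password reset + MFA enrolment for:", accounts_to_reset(found))
```

Tune the window and account threshold to the service’s normal traffic (a shared corporate NAT address legitimately carries many accounts), and pair the detection with rate limiting per source and a breached-password check at login time so that a reused Yahoo-era password is rejected before any of this fires.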

Sjouwerman thinks ransomware is still in its early stages. He points to how quickly software in general proliferated after a slow start more than 20 years ago.

“You will see the same exponential growth over time in ransomware,” he says, “simply because ransomware has a fast return on investment.”
